Django accounts management app ( login and change password

What can you expect from this article?

We started working on the accounts app in the previous article, this article will build on it. It will cover

• Serializers for login, refresh token, and change password requests
• Views for the same APIs, login, refresh token and change password
• And of course the URLs.

I'll try to cover as many details as possible without boring you, but I still expect you to be familiar with some aspects of Python and Django.

the final version of the source code can be found at https://github.com/saad4software/alive-diary-backend

Series order

Check previous articles if interested!

1. AI Project from Scratch, The Idea, Alive Diary
2. Prove it is feasible with Google AI Studio
3. Django API Project Setup
4. Django accounts management app (1), registration and activation
5. Django accounts management app (2), login and change password (You are here ?)

Login and Refresh APIs in a Hurry!

Well, if you are in a hurry and don't have some complicated user management and user role system, you can simply follow the instructions in SimpleJWT documentation, you won't have to create serializers or views, just edit the URLs file as follows

from django.urls import path, include
from .views import *
from rest_framework_simplejwt.views import (
    TokenObtainPairView,
    TokenRefreshView,
)

urlpatterns = [
    path('register/', AccountRegisterView.as_view()),
    path('activate/', AccountActivateView.as_view()),
    path('login/', TokenObtainPairView.as_view()),
    path('refresh/', TokenRefreshView.as_view()),
]

app_account/urls.py

You are good to go, now running the app using

python manage.py runserver 0.0.0.0:8555

and opening the URL http://localhost:8555/api/account/login/ will allow you to log in, and the http://localhost:8555/api/account/refresh/ will allow you to refresh the token

Nice and easy, but what if we need to customize the token response? Actually, I would like this response to follow the same response schema we built in previous article, and also to get the role field for the UI to distinguish a normal user from an Admin, how to do so?

Customize Login API

To get responses to follow our schema, we can simply create an empty serializer that inherits from TokenObtainPairSerializer

from rest_framework_simplejwt.serializers import TokenObtainPairSerializer

class LoginSerializer(TokenObtainPairSerializer):
    pass

app_account/serializers.py

and pass it to a login view that uses our custom renderer

from rest_framework_simplejwt.views import TokenViewBase

class AccountLoginView(TokenViewBase):
    serializer_class = LoginSerializer
    renderer_classes = [CustomRenderer, BrowsableAPIRenderer]

app_account/views.py

Logging in response should follow our schema now. just make sure to update the URLs file to point to our custom login view

from django.urls import path, include
from .views import *
from rest_framework_simplejwt.views import (
    TokenObtainPairView,
    TokenRefreshView,
)

urlpatterns = [
    path('register/', AccountRegisterView.as_view()),
    path('activate/', AccountActivateView.as_view()),
    path('login/', AccountLoginView.as_view()),
    path('refresh/', TokenRefreshView.as_view()),
]

app_account/urls.py

adding the role field is kinda tricky, easiest way would be to overwrite the validate function in the serializer, and with the help of this from simple JWT, we got

from django.urls import path, include
from .views import *
from rest_framework_simplejwt.views import (
    TokenObtainPairView,
    TokenRefreshView,
)

urlpatterns = [
    path('register/', AccountRegisterView.as_view()),
    path('activate/', AccountActivateView.as_view()),
    path('login/', TokenObtainPairView.as_view()),
    path('refresh/', TokenRefreshView.as_view()),
]

app_account/serializers.py

We started by getting the user object, if it doesn't exist or the password doesn't match, it raises an error with "invalid_credentials" message, then we make sure the user is active, and finally, we get the token and build the response. Let's try it now!

I know it looks like too much hustle for a simple goal! but it gives us control over the validation behavior and allows us to add any other fields. Let's add the user info

python manage.py runserver 0.0.0.0:8555

app_account/serializers.py

Customize Refresh token API

Do it again, do it better!

from rest_framework_simplejwt.serializers import TokenObtainPairSerializer

class LoginSerializer(TokenObtainPairSerializer):
    pass

app_account/serializer.py

this will give us new access and refresh tokens, and also the role and user data, if we don't need the extra fields, we can simply use an empty serializer class (with pass) that inherits from TokenRefreshSerializer
The refresh view should look like this

from rest_framework_simplejwt.views import TokenViewBase

class AccountLoginView(TokenViewBase):
    serializer_class = LoginSerializer
    renderer_classes = [CustomRenderer, BrowsableAPIRenderer]

app_account/views.py

It uses our new RefreshTokenSerializer and CustomRenderer, don't forget to update the URLs file

from django.urls import path, include
from .views import *
from rest_framework_simplejwt.views import (
    TokenObtainPairView,
    TokenRefreshView,
)

urlpatterns = [
    path('register/', AccountRegisterView.as_view()),
    path('activate/', AccountActivateView.as_view()),
    path('login/', AccountLoginView.as_view()),
    path('refresh/', TokenRefreshView.as_view()),
]

app_account/urls.py
great! testing it should return something like this

Change password API

As always. Let's start with the serializer

from rest_framework_simplejwt.serializers import TokenObtainPairSerializer
from django.contrib.auth import get_user_model

class LoginSerializer(TokenObtainPairSerializer):

    def validate(self, attrs):
        username = attrs['username']
        user = get_user_model().objects.filter(username=username).first()

        if not user or not user.check_password(attrs['password']):
            raise serializers.ValidationError("invalid_credentials")

        if not user.is_active:
            raise serializers.ValidationError("not_active")

        refresh = self.get_token(user)

        data = {
            'refresh': str(refresh),
            'access': str(refresh.access_token),
            'role': user.role,
        }

        return data

app_account/serializers.py

It is a custom serializer, with two required char fields. moving to the view

class UserSerializer(serializers.ModelSerializer):

    class Meta:
        model = get_user_model()
        fields = (
            'first_name', 
            'last_name', 
            'username', 
            'country_code', 
            'expiration_date',
            'hobbies',
            'job',
            'bio',
            'role',
        )
        read_only_fields = ['username', 'role',  'expiration_date']


class LoginSerializer(TokenObtainPairSerializer):

    def validate(self, attrs):
        username = attrs['username']
        user = get_user_model().objects.filter(username=username).first()

        if not user or not user.check_password(attrs['password']):
            raise serializers.ValidationError("invalid_credentials")

        if not user.is_active:
            raise serializers.ValidationError("not_active")

        refresh = self.get_token(user)

        data = {
            'refresh': str(refresh),
            'access': str(refresh.access_token),
            'user': UserSerializer(user).data,
            'role': user.role,
        }

        return data

app_account/views.py

This request requires an authenticated user, so we used IsAuthenticated as a permission class, of course, we used our custom renderer class. for the POST request, we start by making sure the request satisfies the serializer types, then check the password validity, if valid; we change it and save the new user model

opening http://localhost:8555/api/account/password/ in the browser would look like this

since it is an authenticated view, it requires the use of bearer token which is not supported by the BrowsableAPIRenderer.
In order to test this (and every authenticated request) we have one of two options

• Use an IDE like postman or insomnia (personally, I prefer Insomnia since it still does not force me to log in)
• Or to use swagger

if you choose the first path, you can ignore the next article! The next article will walk you through implementing Swagger in your Django project

Stay tuned ?

The above is the detailed content of Django accounts management app ( login and change password. For more information, please follow other related articles on the PHP Chinese website!